For many manufacturers, “cyber” is an uncomfortable word, often associated with scare tactics about hackers and ransomware and with intimidating language full of complicated technical concepts.
It’s really about risk management. At its core, cybersecurity is meant to keep your business operating while protecting your information, just like you take steps to prevent operational risks through preventive maintenance and quality control measures. All businesses need to consider three things to manage risk and to keep their business stable:
You may be surprised to learn that you can use traditional manufacturing principles to make your company more cybersecure. While lean manufacturing and cybersecurity principles may seem unrelated, they share several similarities, especially when it comes to efficiency, risk management, and continuous improvement. Existing champions, such as your Lean Six Sigma expert, can play a crucial role in pinpointing areas of concern and recommending necessary adjustments to processes and controls. If you ensure business continuity and operational continuity, you will see business improvement that leads to bottom-line impact.
Think of Cybersecurity as Business Security
Protecting your business involves more than the ability to deliver products and services. Your business success depends on access to information, documentation of workflows, and even tribal knowledge that could be aging out. A lean approach to your business operations will not only improve efficiency but also safeguard information. Some examples (and there are many more):
Workflows: Eliminating multiple touch points from the same department for a sales proposal is similar in nature to eliminating unnecessary movements in your production operation. Standardized work, documentation, and streamlined workflows ensure that processes are consistent and that employees are following established security protocols, reducing risks to your business.
Approvals: Likewise, a clear approval process when multiple people are providing feedback creates alignment within your company and with vendors and suppliers. This alignment enhances the quality of your deliverables and reduces the potential for misunderstandings or security exposures during collaborative efforts.
Intellectual property: Secure sensitive information that is crucial to your business. Unauthorized access or theft of intellectual property can have severe consequences for your company, including loss of competitiveness and legal repercussions.
Certification/contractual terms: If you were to lose your certification status, would you retain those contracts? Take steps to ensure you remain in compliance in these critical areas.
Operational Security is All About Continuity
Many manufacturers have taken a reactive approach to operational security – as long as a machine is running, they are hesitant to change the dynamic. But have you considered what would happen if system-critical equipment were not available? How could you keep that production cell functioning? Have you periodically attempted to restore information to validate that your backups are functioning?
One of our manufacturing clients made a significant investment in a 3D printer to transform the way they built a component. After discussing the 3D printer, we realized that it didn’t have a backup power source. If they experienced a power outage during the long production time, they would need to scrap the work underway. By framing the issue around operational security, they determined they could eliminate risk from brownouts with a relatively inexpensive uninterruptible power supply device. This simple security precaution prevented possible costly delays.
Another client invested in multiple CNC machines, all of which were programmed from a centralized FTP server. If the server went down due to failure or a cyber incident, they would not be able to use their machines. The manufacturer realized they needed operational backup, and the solution also provided cyber protection.
Information Security Begins With an Improvement Mindset
The same principles of lean manufacturing or a quality management system (QMS) also apply to information security; the only difference is that the focus is on protecting information rather than on the quality of the product. For example:
Document management: Do you have defined procedures for creating, storing and removing documents (digital and hard copies)? What if something is lost, stolen, or unavailable? Have you taken steps to safeguard and recover if something did occur?
File sharing and duplicating: There are many risks associated with creating multiple copies of digital files, especially if a wrong or outdated version of a file results in production errors or product defects. You could implement procedures for versions of documents (when to use V2.1 as opposed to V3).
Use of old, unsupported technology: Many manufacturers are still using older computers for critical machines, often operating on older versions of Windows. The problem is that these computers no longer receive updates, security patches, or technical support. Without security patches, the computer is left vulnerable, and without technical support you could be left in a precarious position.
Simply Getting Started Will Create Momentum to Improve Your Security
Improving your business, operational and information security requires an investment in time. There are many ways to get started, such as:
Determine which equipment you have that is critical to operations
Walk around your facility to see how many machines you have on unsupported operating systems
Add computers to your equipment life-cycle planning
Determine what measures to take to limit exposure
Review your business practices with risk in mind
Putting a focus on business and operational security will be a lot like other process improvement initiatives; staff involvement and small wins will create momentum. Prioritize something to address immediately. It could be as simple as a lean office initiative to address printed materials (when to make copies, removing clutter on a daily basis, what goes into a recycle bin).
Your near-term deliverables might look like:
An outline for a risk assessment program
A list of practices and principles to implement
Identifying key recommendations for improvement
A summary that identifies the change in likelihood of exposure with improvements
Common Challenges Include Lack of Awareness, Priority on Security
Two of the most common challenges that manufacturers face in cybersecurity are lack of awareness and a lack of urgency. They may not be aware of compliance requirements, the complex threat landscape, or their supply chain vulnerabilities. If so, they may lack the incentive to be more proactive. They may also be resistant to change or fear disruption.
Many companies’ cyber culture is held back by:
Budgetary constraints: Many manufacturers rely on outdated infrastructure, such as IT operating systems and software. Some also rely on consumer-level products, which can keep costs down but may sacrifice the security and longevity of business-level products. Keeping pace with the latest IT often requires frequent investments.
Timing and use constraints: Manufacturers often focus on immediate needs, which is understandable to keep the operation running. There are many areas competing for attention when it comes to being more strategic and proactive, so cybersecurity often gets less attention.
Unfamiliarity: In addition to outdated equipment and a lack of planning, many manufacturers lack subject matter experts.
The most important step in removing these challenges is to approach them through a business continuity lens: What if that key piece of equipment is down for two days? Do you have backup plans to meet scheduling and production demands? Focus on process improvements and documenting business flow.
Your Local MEP Center Can Help You With Your Security
Awareness is key. You should examine your operational and business information to the same extent you do your equipment. Your local MEP Center can help you review your business system practices and procedures.
About the author
Cybersecurity Program Manager, Michigan Manufacturing Technology Center
Jeff’s work at Michigan Manufacturing Technology Center, which is part of the MEP National Network, includes leading efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyberattacks. He is involved with training other MEP Centers across the U.S.